Evernote Breach: 7 Security Lessons

Both cloud service providers and users should heed the security takeaways from Evernote's breach and response.


Evernote Sunday informed its 50 million users via email that it had suffered a data breach and suspected that usernames, email addresses and encrypted passwords may have been stolen.

"Evernote's Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service," read the "Evernote Security Notice: Service-wide Password Reset" email sent to users, which was also posted as a blog and to the Evernote Facebook page. "As a precaution to protect your data, we have decided to implement a password reset [for all users]."

What lessons can be learned from Evernote's data breach, as well as the company's handling of the incident? Here are seven security takeaways:

1. Detail What Attackers Took.
Kudos to Evernote for broadcasting a security warning -- across multiple channels -- that clearly stated what attackers apparently took, as well as how that data was protected. "The investigation has shown ... that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords," stated the company's email to users. "Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption."

The good news for Evernote users is that the company had salted and hashed their passwords -- unlike LinkedIn, which only hashed its passwords, thus making them more susceptible to being brute-force cracked offline and in relatively little time after attackers hacked into LinkedIn last year. While hashing isn't foolproof, it likely bought Evernote -- and its users -- extra time to detect and then respond to the breach.
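The contrast the article draws here, a bare hash versus a salted and iterated hash, can be shown directly. The following is an added example, not Evernote's or LinkedIn's code; the iteration count is an assumed work factor, and the two users and their shared password are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example: bare hashing (every user with the same password gets the same
# digest, so one precomputed table or one cracked hash covers all of them)
# versus per-user salted, iterated hashing (each digest must be attacked
# separately, which is the "extra time" the article refers to).

ITERATIONS = 100_000  # assumed work factor; tune for your hardware


def hash_unsalted(password: str) -> str:
    """Bare SHA-1 of the password, with no per-user salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Random 16-byte salt plus PBKDF2-HMAC-SHA256.
    Returns (salt, digest); both are stored alongside the account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Two constructed users who chose the same password, stored both ways."""
    shared_password = "correct horse"
    alice_unsalted = hash_unsalted(shared_password)
    bob_unsalted = hash_unsalted(shared_password)
    alice_salt, alice_digest = hash_salted(shared_password)
    bob_salt, bob_digest = hash_salted(shared_password)
    return {
        "unsalted_collide": alice_unsalted == bob_unsalted,  # True: identical digests
        "salted_collide": alice_digest == bob_digest,        # False: salts differ
        "alice_ok": verify_salted(shared_password, alice_salt, alice_digest),
        "alice_wrong": verify_salted("wrong password", alice_salt, alice_digest),
    }


if __name__ == "__main__":
    print(demo())
```

The salt is not secret; its job is to make each stored digest unique so that an attacker who obtains the table has to repeat the full iterated computation for every account rather than once per candidate password.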

2. Exercise An Abundance Of Caution.
Evernote opted to expire all passwords rather than attempting to first identify which usernames attackers may or may not have stolen. "While our password encryption measures are robust, we are taking steps to ensure your personal data remains secure," it said. "This means that in an abundance of caution, we are requiring all users to reset their Evernote account passwords."

More good news is that no Evernote user content appeared to have been stolen. "In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost," read the company's data breach notification. "We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed," referring to the 4% of Evernote's users -- as of June 2012 -- who are paying customers.

3. Lock Down Weak Points.
How did attackers hack into Evernote? The company didn't disclose that information in its email to customers. But since Saturday, the service has released a flurry of application upgrades for its Windows, Mac, Android and iOS clients.

Some users Sunday reported difficulty resetting their passwords after receiving the breach notification, noting that the Evernote website wasn't recognizing their email address. Evernote VP of marketing Andrew Sinkov advised users, via the Evernote help forum, to first upgrade their software. "Make sure to update all versions of Evernote that you use," he said in a Sunday post. "We've released a number of updates in the past day. After that, go to evernote.com and set your new password."

4. Don't Include Website Links In Password Reset Emails.
Businesses that have had users' email addresses stolen face a dilemma: The "reset your password" emails they send out are often mistaken by users for spam or spear-phishing attacks, because that's so often what they are.

Correctly, Evernote's Sunday email to all of its users does warn them that they should never click a "password reset" link in an email, but rather browse directly to the site itself. But Graham Cluley, senior technology consultant at Sophos, pointed out that those same emails include "password reset" links to the Evernote website, by way of third-party domain mkt5371.com.

"This was just carelessness on Evernote's part," Cluley said in a blog post. "mkt5371 is a domain owned by Silverpop, an email communications firm who Evernote has clearly employed to send emails to its 50 million or so affected users. The links in this case do end up taking you to Evernote's website -- but go silently via Silverpop's systems first. Presumably that's so Evernote can track and collect data on how successful the email campaign has been." Still, it's not ideal.
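The check Cluley applied by hand, looking at where the links in a reset email actually point, is easy to automate on the receiving side. The following is an added example, not Evernote's or Silverpop's code; the email body is constructed for the example, and only the two domain names come from the article.

```python
from html.parser import HTMLParser
from typing import Iterable, List
from urllib.parse import urlsplit

# Added example: extract every link from an email body and flag those whose
# host is not the sender's own domain (tracking redirectors, look-alikes).
# SAMPLE_EMAIL is constructed; the domains are the ones named in the article.

SAMPLE_EMAIL = """
<html><body>
<p>We are requiring all users to reset their Evernote account passwords.</p>
<p>Never click a password reset link in an email; browse to
<a href="https://evernote.com/">evernote.com</a> instead.</p>
<p><a href="http://mkt5371.com/track?u=example-id">Reset your password</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect href values from <a> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html: str) -> List[str]:
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def host_allowed(host: str, allowed: Iterable[str]) -> bool:
    """True if host equals an allowed domain or is a subdomain of one.
    The dot check stops 'evernote.com.example' from matching 'evernote.com'."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def off_domain_links(html: str, allowed: Iterable[str]) -> List[str]:
    """Links whose host lies outside the allowed domains."""
    allowed = [d.lower() for d in allowed]
    flagged = []
    for link in extract_links(html):
        host = urlsplit(link).hostname or ""
        if not host_allowed(host, allowed):
            flagged.append(link)
    return flagged


if __name__ == "__main__":
    for link in off_domain_links(SAMPLE_EMAIL, ["evernote.com"]):
        print("off-domain link:", link)
```

On the sending side the same function, run over the outgoing template with the company's own domain as the allow list, would have caught the tracking redirector before the email went out.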

5. Users: Prepare To Be Spammed.
The good news for Evernote's users is that attackers don't appear to have stolen any of their content, which is a big concern for a cloud service that's used as a note-taking tool by millions of people. The bad news, however, is that attackers may have what they came for: a list of 50 million working usernames and email addresses. What's the risk? For starters, they could send fake password-reset emails to every Evernote customer.

Expect the attackers to keep the information to hand for future spam campaigns. Indeed, Slashgear reported Saturday that some users of Dropbox -- which was hacked in July 2012 -- have been reporting a sudden influx of spam emails that appear to be from LinkedIn or PayPal, as well as undisguised offers from online gambling sites and casinos. Some users have also reported receiving the spam via email addresses they've set up solely to receive Dropbox communications.

Rather than the spam emails being the result of a new hack, however, Dropbox officials told Slashgear that they suspect it's just a delayed effect from when the service was hacked. In other words, the Dropbox hackers have kept the stolen email addresses and are using them as they see fit. Evernote users can expect the same to happen to them.

6. Hack Attack Volume Not Diminishing.
Evernote declined to say when it had been hacked. Likewise, its data breach notification email didn't tie its breach to any other specific attacks, noting only that "as recent events with other large services have demonstrated, this type of activity is becoming more common." But might the hack of Evernote have been the work of the same attackers who used watering-hole attacks to hack into Apple, Facebook, Microsoft and Twitter?

The Twitter data breach, which resulted in the compromise of 250,000 accounts, apparently occurred in late January. But tracing the attacks' source evidently took more time, as the moderator of the third-party iOS developer site iPhoneDevSDK that was surreptitiously used by attackers to launch drive-by attacks wasn't informed of the attacks until February 19. That would have given attackers a lengthy window to infect iOS developers at other businesses -- perhaps including Evernote.

7. Two-Factor Authentication Needed, Please.
What should be done about the increased number of attacks against businesses such as Evernote and Twitter, and the resulting compromise of usernames, emails and passwords? For starters, when it comes to securing users' accounts, businesses must look beyond passwords. As noted by InformationWeek columnist Jonathan Feldman -- Evernote Breach: What It Means To Enterprise IT -- too few businesses have followed the security example set by game maker Blizzard, which offers its users a $6.50 two-factor authentication token, as well as a two-factor smartphone authenticator. Notably, two-factor authentication would have prevented the Evernote hackers from using any passwords they successfully decrypted.

If both Blizzard and Google can do it, what's stopping cloud services such as Twitter and Evernote from offering better security to their users? An Evernote spokeswoman didn't immediately respond to an email (sent out of normal working hours) about whether the company was evaluating or planning to roll out two-factor authentication for its users.

Evernote seems to have responded well to the breach with a universal password reset for its users. It should also take a page from Bit9 and eventually explain how the breach actually occurred -- sharing lessons learned helps everyone.

Matthew, I think there's another important element to Lesson #5 that's worth considering...

As you stated, email addresses are nearly as valuable as account passwords, since they enable future attack opportunities, so why not apply the same level of protection to email addresses as for the passwords themselves? This one additional security measure could have rendered the stolen data far less valuable to the thieves!